Kerberos Authentication Support for Web Client
Prerequisites
To perform Kerberos authentication:
- Check that all machines required for the Kerberos setup are in the same domain. Example: TA KERBEROS.COM.
- Kerberos setup for CM requires a minimum of four boxes in the same domain, with administrator rights on each:
  Active Directory box with domain controller. Example: named TA KDC
  Client Manager box. Example: named TA APP
  Master box. Example: named TA MASTER
  Client browser box. Example: named TA CLI
- Ensure that all boxes are reachable from each other, using these commands:
  ping <hostname> or <IP address>
  nslookup <hostname> or <IP address>
- Create the required users on the AD. A specific user is required to start the Client Manager service; for example, appuser.
- Configure the users to support AES 256 encryption. For more information, see Configuring Users.
Configuring Users
After the user accounts are created, open each user's Account tab and select This account supports Kerberos AES 256 bit encryption under Account options.
Creating Service Principal Name/Key Tab File And Updating JCE jars to JDK
To create the service principal name and key tab file and update the JCE jars:
- Open a command prompt on the AD box.
- Create an SPN for the Client Manager box user who starts the Client Manager service. The SPN is a mapping between that user and the service running on the Client Manager box.
- Enter this command to ensure that there are no SPNs registered for that user yet:
  setspn -l <client manager user>
  Example:
  setspn -l appuser
  Example output for a user with no SPNs registered (nothing is listed under the header):
  c:\Users\Administrator>setspn -l browseruser
  Registered ServicePrincipalNames for CN=browseruser,OU=dev,DC=TA kerberos,DC=com:
  To add the SPN for the user, enter the command (-s adds the SPN only if it is not already registered elsewhere in the forest):
  setspn -s <service name> <client manager user>
  Example: setspn -s HTTP/TA app.TA kerberos.com appuser
  To cover every form of the host name a client may use, also register the SPN for the short host name:
  Example: setspn -s HTTP/TA app appuser
  To confirm that both are registered, list the SPNs again:
  c:\Users\Administrator>setspn -l appuser
  Registered ServicePrincipalNames for CN=appuser,CN=Users,DC=TA kerberos,DC=com:
          HTTP/TA app.TA kerberos.com
          HTTP/TA app
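As an added check for this step (example code written here, not a Tidal or Microsoft utility), the following Python parses the output of setspn -l and lists which of the two expected HTTP SPNs, the fully qualified and the short host name, are still missing. The host name cm.example.com and the sample output are constructed.

```python
"""Verify the SPNs registered for the Client Manager user from setspn -l output.

Added example, not a Tidal or Microsoft tool: paste the output of
"setspn -l <client manager user>" and it reports which of the expected
HTTP SPNs (fully qualified and short host name) are still missing.
Comparison is case-insensitive, as it is in Active Directory. The sample
output below is constructed for the invented host cm.example.com.
"""

HEADER = "registered serviceprincipalnames for"


def parse_setspn_output(text):
    """Return the SPN lines that follow the 'Registered ServicePrincipalNames for ...' header."""
    spns, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(HEADER):
            in_list = True          # everything after the header is one SPN per line
        elif in_list and line:
            spns.append(line)
    return spns


def expected_spns(host_fqdn, service="HTTP"):
    """The two SPNs the page registers: service/<fqdn> and service/<short name>."""
    return [f"{service}/{host_fqdn}", f"{service}/{host_fqdn.split('.')[0]}"]


def missing_spns(setspn_output, host_fqdn, service="HTTP"):
    """Expected SPNs that do not appear in the setspn -l output."""
    registered = {spn.lower() for spn in parse_setspn_output(setspn_output)}
    return [spn for spn in expected_spns(host_fqdn, service) if spn.lower() not in registered]


# Constructed output, before and after the two setspn -s commands.
BEFORE = "Registered ServicePrincipalNames for CN=appuser,CN=Users,DC=example,DC=com:\n"
AFTER = BEFORE + "        HTTP/cm.example.com\n        HTTP/cm\n"

if __name__ == "__main__":
    print("missing before:", missing_spns(BEFORE, "cm.example.com"))   # both SPNs
    print("missing after:", missing_spns(AFTER, "cm.example.com"))     # []
```

setspn -l only shows one account. If the same HTTP SPN is also registered on a second account, ticket requests for the service fail or are issued against the wrong account's key; setspn -Q HTTP/<host> searches the whole forest for such an existing registration.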
- On the AD box, open the Users section and select the Client Manager user (appuser).
- Click the Delegation tab and choose Trust this user for delegation to any service (Kerberos only).
  Note: The Delegation tab appears only after the user has been registered for at least one service principal.
- Create the key tab file, which is the authorization token for the Client Manager user (appuser).
- Enter this command at the command prompt:
  ktpass -out <keytab location> -princ <SPN>@<realm name> -mapUser <domain\client manager user name> -mapOp set -pass <password> -crypto <crypto> -pType KRB5_NT_PRINCIPAL
  Example:
  ktpass -out c:\temp\appuser.keytab -princ HTTP/TA app.TA kerberos.com@TA KERBEROS.COM -mapUser TA kerberos\appuser -mapOp set -pass control@123 -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
  Note: ktpass with -pass resets the AD password of the mapped account to the value supplied.
- Copy the key tab file from the AD box to the Client Manager box. The key tab holds the service account's long-term key, so restrict read access on the copy to the account that runs the Client Manager service and remove the copy left on the AD box once it has been transferred.
- Add the JCE jars to the JDK (or JRE) to support unlimited-strength cryptographic functions, as follows:
  - Download the JCE Unlimited Strength Jurisdiction Policy Files, jce_policy-8.zip (for Java 8), from the Oracle site.
    The zip file contains two jar files, local_policy.jar and US_export_policy.jar, plus README.txt and COPYRIGHT.html.
  - Apply the .jar files to the JDK that is actually being run.
    Note: There are two directories, the JDK directory and the JRE directory (for example, JDK1.8 and JRE1.8).
  - Copy the two .jar files from the zip file and replace the ones in the JRE that is part of the JDK distribution, and in the standalone JRE.
    Example: /jdk1.8.0_37/jre/lib/security/ and /jre1.8.0_37/lib/security/
  Without these policy files the JVM limits AES to 128-bit keys and cannot decrypt tickets issued with aes256-cts. (Java 8u161 and later ship with the unlimited policy enabled by default.)
Configuring the Client Manager for Kerberos
To configure the Client Manager:
- Ensure that the Kerberos setup for the Client Manager has these artifacts: the spnego.conf file, the krb5.ini file, and the spnego.properties file.
- Create and configure these files and place them in the config folder of the Client Manager for Unix.
Contents of the spnego.conf file (the text in angle brackets describes each value and is not part of the file):

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/TA app.TA kerberos.com@TA KERBEROS.COM"    <SPN with realm>
    keyTab="c:/temp/appuser.keytab"                            <location of the key tab file>
    useKeyTab=true
    storeKey=true
    debug=true
    isInitiator=false;
};

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/TA app.TA kerberos.com@TA KERBEROS.COM"    <SPN with realm>
    useKeyTab=true
    keyTab="c:/temp/appuser.keytab"                            <location of the key tab file>
    storeKey=true
    debug=true
    isInitiator=false;
};
Contents of the krb5.ini file (the text in angle brackets describes each value and is not part of the file):

[libdefaults]
default_realm = TA KERBEROS.COM                   <domain name>
default_keytab_name = c:/temp/appuser.keytab      <key tab file location>
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

[realms]
TA KERBEROS.COM = {
    kdc = 172.21.243.238                          <IP address of the AD box>
    admin_server = 172.21.243.238
    default_domain = TA KERBEROS.COM
}

[domain_realm]
TA kerberos.com = TA KERBEROS.COM
.TA kerberos.com = TA KERBEROS.COM

[appdefaults]
autologin = true
forwardable = true

The [domain_realm] entries map the DNS domain, and any host under it, to the Kerberos realm. Note: arcfour-hmac-md5 (RC4) is listed in the three encryption-type lists only for compatibility with accounts that are not yet enabled for AES; once every account involved has the AES 256 option set as described under Configuring Users, remove it from all three lists so that only AES ticket and session keys are accepted.
Contents of the spnego.properties file:
targetName = HTTP/TA app.TA kerberos.com@TA KERBEROS.COM
- Edit clientmgr.props and add this configuration (lines starting with # are comments):

# Flag to set Kerberos mode. If set to false, the Client Manager works in Basic authentication mode through AD/LDAP.
Security.isKerberos=true

# Domain name
Security.Kerberos.domainRealm=TA KERBEROS.COM

# Location of the krb5.ini file
# Example (Windows):
Security.Kerberos.krbPath=C:\\Program Files\\Tidal\\Client Manager\\config\\krb5.ini
# Example (Unix):
# Security.Kerberos.krbPath=/opt/temp/krb5.ini

# Location of the spnego.conf file
# Example (Windows):
Security.Kerberos.loginConfPath=C:\\Program Files\\Tidal\\Client Manager\\config\\spnego.conf
# Example (Unix):
# Security.Kerberos.loginConfPath=/opt/temp/spnego.conf

# Location of the spnego.properties file
# Example (Windows):
Security.Kerberos.spengoTargetPath=C:\\Program Files\\Tidal\\Client Manager\\config\\spnego.properties
# Example (Unix):
# Security.Kerberos.spengoTargetPath=/opt/temp/spnego.properties

# Logging flags
Security.Kerberos.spengoDebug=all
Security.Kerberos.krbDebug=true
ClientManagerLog=FINE
JVMARGS= -Dorg.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.StdErrLog -Dorg.eclipse.jetty.LEVEL=DEBUG -Djavax.net.debug=ssl

# Domain name
Security.Kerberos.krbRealm=TA KERBEROS.COM

# AD box hostname
Security.Kerberos.KDCHostName=TA kdc.TA kerberos.com

# LDAP attribute for UserName
Security.Kerberos.UseLdapAttributeForUserName=UPN
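The four artifacts above (spnego.conf, krb5.ini, spnego.properties and clientmgr.props) must agree on the realm, the SPN, the key tab path and the encryption types, and a mismatch usually shows up only as a failed ticket validation at login. The following Python, an added example that is not part of Tidal Client Manager, parses all four and reports the inconsistencies a practitioner would check before starting the service. The file contents are constructed samples shaped like the ones above, using the invented host cm.example.com, realm EXAMPLE.COM and KDC address 192.0.2.10.

```python
"""Cross-check the Client Manager Kerberos artifacts before starting the service.
Added example, not part of Tidal Client Manager: it reads krb5.ini, spnego.conf,
spnego.properties and clientmgr.props text and reports mismatches (realm, SPN,
keytab path, encryption types) that otherwise surface only as a failed ticket
validation. The samples below are constructed for the invented host cm.example.com."""
import re

KRB5_INI = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = c:/temp/appuser.keytab
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
[realms]
EXAMPLE.COM = {
  kdc = 192.0.2.10
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
"""
SPNEGO_CONF = """\
com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/cm.example.com@EXAMPLE.COM" keyTab="c:/temp/appuser.keytab" useKeyTab=true storeKey=true isInitiator=false; };
com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/cm.example.com@EXAMPLE.COM" keyTab="c:/temp/appuser.keytab" useKeyTab=true storeKey=true isInitiator=false; };
"""
SPNEGO_PROPS = "targetName = HTTP/cm.example.com@EXAMPLE.COM\n"
CLIENTMGR_PROPS = """\
Security.isKerberos=true
Security.Kerberos.domainRealm=EXAMPLE.COM
Security.Kerberos.krbRealm=EXAMPLE.COM
Security.Kerberos.KDCHostName=kdc.example.com
"""
ETYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")

def parse_krb5(text):
    """Minimal krb5.ini reader: section -> {key: value}; realm blocks are flattened."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None and line[0] not in "#;":
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.replace("{", "").strip()
    return conf

def parse_props(text):
    """Java-style properties (key=value or key = value); '#' lines are comments."""
    pairs = (l.strip().partition("=") for l in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and not k.startswith("#")}

def check_kerberos_config(krb5_text, spnego_conf, spnego_props, clientmgr_props):
    """Return a list of findings; an empty list means the four files agree."""
    findings = []
    krb5 = parse_krb5(krb5_text)
    lib = krb5.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    principals = set(re.findall(r'principal\s*=\s*"([^"]+)"', spnego_conf))
    keytabs = set(re.findall(r'keyTab\s*=\s*"([^"]+)"', spnego_conf))
    if len(principals) != 1 or len(keytabs) != 1:
        findings.append("spnego.conf: initiate and accept must share one principal and one keyTab")
    principal, keytab = next(iter(principals), ""), next(iter(keytabs), "")
    spn, _, spn_realm = principal.rpartition("@")
    domain = spn.partition("/")[2].partition(".")[2]  # DNS domain of the service host
    if spn_realm != realm:
        findings.append(f"realm mismatch: spnego.conf uses {spn_realm!r}, krb5.ini default_realm is {realm!r}")
    if parse_props(spnego_props).get("targetName") != principal:
        findings.append("spnego.properties targetName does not match the spnego.conf principal")
    if lib.get("default_keytab_name") != keytab:
        findings.append("krb5.ini default_keytab_name does not match the spnego.conf keyTab")
    no_aes = [k for k in ETYPE_KEYS if "aes256-cts" not in lib.get(k, "").split()]
    if no_aes:
        findings.append("krb5.ini lacks aes256-cts in: " + ", ".join(no_aes))
    rc4 = [k for k in ETYPE_KEYS if "arcfour-hmac-md5" in lib.get(k, "").split()]
    if rc4:
        findings.append("krb5.ini still permits RC4 (arcfour-hmac-md5) in: " + ", ".join(rc4))
    if not krb5.get("realms", {}).get("kdc"):
        findings.append("krb5.ini [realms] has no kdc entry")
    mapping = krb5.get("domain_realm", {})
    if realm not in (mapping.get(domain), mapping.get("." + domain)):
        findings.append(f"krb5.ini [domain_realm] does not map {domain} to {realm}")
    cm = parse_props(clientmgr_props)
    if cm.get("Security.isKerberos", "").lower() != "true":
        findings.append("clientmgr.props: Security.isKerberos is not true")
    for key in ("Security.Kerberos.domainRealm", "Security.Kerberos.krbRealm"):
        if cm.get(key) != realm:
            findings.append(f"clientmgr.props: {key} does not equal the krb5.ini default_realm")
    if not cm.get("Security.Kerberos.KDCHostName", "").lower().endswith("." + domain.lower()):
        findings.append("clientmgr.props: KDCHostName is not in the service host's DNS domain")
    return findings

if __name__ == "__main__":
    print(check_kerberos_config(KRB5_INI, SPNEGO_CONF, SPNEGO_PROPS, CLIENTMGR_PROPS))
```

On the sample files the only finding is that RC4 is still permitted, which is exactly the state of the page's krb5.ini; the same check run against the real files in the config folder (read them with open() in place of the constants) flags the realm, targetName and key tab mismatches that are the usual cause of a login that falls back to a credential prompt.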
Configuring Browsers for Kerberos Authentication
To configure the browsers for Kerberos authentication:

Internet Explorer
- Navigate to Tools > Options > Security > Local Intranet > Sites (all options should be selected). The Windows Server version does not have this option.
- Navigate to Tools > Options > Security > Local Intranet > Sites > Advanced and add the server URL, using the hostname for both http:// and https://. The Windows Server version does not have this option.
  Example: http://TA app.TA kerberos.com:8080/client and https://TA app.TA kerberos.com:8080/client.
- Navigate to Tools > Options > Security > Trusted Sites > Sites and add this website to the zone, using the hostname for both http:// and https://.
  Example: http://TA app.TA kerberos.com:8080/client and https://TA app.TA kerberos.com:8080/client.
- Navigate to Tools > Options > Security > Trusted Sites and click Custom level. Under Security Settings, choose User Authentication and select Automatic login with current user and password.
- Go to Tools > Options > Advanced.
- Select the Enable Integrated Windows Authentication option.
- Close IE, then launch IE again and browse to the CM URL.

Firefox
- Browse to about:config and accept the warning.
- Search for network.negotiate-auth.
- Set network.negotiate-auth.delegation-uris to http://,https://.
- Set network.negotiate-auth.trusted-uris to http://,https://.
  Note: The values http://,https:// let Firefox send a Negotiate (Kerberos) token, and delegate the user's credentials, to every site it visits. Restricting both preferences to the Client Manager host, for example TA app.TA kerberos.com, limits where the browser will present Kerberos tickets.
- Browse to the CM URL.

Note: Ensure that the login completes without prompting for credentials.